A Contest to Train Cyber Combatants

Cyber-defense and capture-the-flag contests will help train future defenders of cyberspace.

In the 1950s, shocked by the Russians’ launch of Sputnik, the United States embarked on an initiative to boost its numbers of scientists and engineers. Now, private industry, academics, and government agencies are banding together to create a similar push to educate and train at least 10,000 students to become the future defenders of cyberspace.

Alan Paller, director of research for the SANS Institute, an organization that educates and trains system administrators and computer engineers, says that schools aren’t turning out enough students with the technical know-how to defend critical networks. “This shortage is as tough as the shortage of scientific people we had in the 1950s,” Paller says. “The country has about 1,000 people that could compete in a cyber competition at a high level today. We actually need between 20,000 and 30,000.”

The consortium behind the U.S. Cyber Challenge hopes that the competitions will boost interest in practical network-administration and computer-security skills. The aim is “training and developing that workforce and getting people excited about digital forensics and training them to work for us,” says Jim Christy, director of future exploration for the U.S. Department of Defense’s Cyber Crime Center (DC3).

The U.S. Cyber Challenge brings together three competitions under a single umbrella. First is the DC3’s Digital Forensics Competition, which pits teams against one another to solve a number of puzzles that an expert might come across when investigating a crime. For example, entrants have to analyze file signatures, check out suspicious software, decrypt files without the password, and parse header files for interesting information. The competition has already proven extremely popular: Nearly 600 teams have registered so far this year, compared to 199 teams last year. The DoD is also considering offering a massive cash prize, up to $1 million, to increase interest in solving the top level of problems: challenges with no known current solution, such as getting data off a severely damaged hard drive.

The second contest is a capture-the-flag competition run by the SANS Institute and designed for college students and high-achieving high-school students. Known as NetWars, the competition is played on a virtual private network over the Internet, using a custom operating-system image created by a small group that runs the game. Teams get points for attacking other teams’ virtual machines and controlling certain services and files–the “flags.”

“It’s mostly attack to start out with,” says Ed Skoudis, cofounder of security firm InGuardians and an advisor to the SANS Institute for the game. The result is a fair simulation of attack and defense in cyberspace, Skoudis asserts. Participants try to exploit weaknesses in their rivals’ systems and then defend the systems they compromised from the other attackers.

A third competition aims to develop high-school students’ knowledge of network defense. The CyberPatriot High School Cyber Defense Competition, which is in its second year, teaches students the difficulty of protecting computer networks against attacks. In the first contest, eight teams competed against each other. This year, 266 schools have signed up, says Gregory White, an associate professor with the University of Texas at San Antonio and the director of the university’s Center for Infrastructure Assurance and Security, which runs the program along with the Air Force Association.

Earlier this week, the Partnership for Public Service and consultants at Booz Allen Hamilton released a report concluding that the lack of cybersecurity skills in the federal workforce leaves the “potential for major vulnerabilities for our national security.” The Obama administration, too, in its recently released Cyberspace Policy Review, flagged the shortage of well-educated cybersecurity professionals as a problem of national importance.

Aside from potentially funding the forensics challenge, the federal government has not announced funding for the U.S. Cyber Challenge. However, companies such as Google and state governments such as Delaware’s have already expressed interest in taking part.”If you wait for a committee to do something, you will be waiting for a long time,” White says. “[Government officials] seem to be interested, but that has not translated to funding.”